RSA has outlined the attack announced last month that saw the company lose …


Security firm RSA announced in March that it had been the victim of a hack that it described as "extremely sophisticated." The company has now shared some details of the attack. "Extremely sophisticated"? More like "run-of-the-mill."

A spear-phishing e-mail was sent to two small groups within the company. Though the e-mail was automatically marked as Junk, the subject of the message ("2011 Recruitment Plan") tricked one employee into opening it anyway. Attached to the mail was an Excel spreadsheet, "2011 Recruitment plan.xls". Embedded within the spreadsheet was a Flash movie that exploited a Flash vulnerability. Adobe has since released an emergency patch for the flaw.
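The attachment described above, an Excel workbook with a Flash movie embedded in it, can be triaged with a simple byte-level scan for SWF headers. The following is an added illustration, not code from the original article or from RSA; it assumes the standard SWF header layout (3-byte signature, version byte, little-endian length) and uses a constructed sample blob rather than a real sample.

```python
import struct
import sys
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_SANE_SWF_VERSION = 50  # assumption: a loose upper bound to reject random byte runs


def find_embedded_swf(data: bytes) -> list:
    """Heuristically locate SWF (Flash) headers anywhere inside a byte blob.

    Returns a list of dicts (offset, signature, version, declared length).
    This is a triage heuristic over raw bytes: an OLE2 .xls can fragment an
    embedded object across sectors, so a miss does not prove the file is clean.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (off := data.find(magic, start)) != -1:
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            length = struct.unpack_from("<I", data, off + 4)[0]
            # Plausibility checks cut false positives from accidental "CWS"/"FWS" bytes.
            if not 1 <= version <= MAX_SANE_SWF_VERSION or length < 8:
                continue
            if magic == b"CWS":
                # The body must be a valid zlib stream; inflating a prefix checks that.
                try:
                    zlib.decompressobj().decompress(data[off + 8:off + 8 + 4096])
                except zlib.error:
                    continue
            elif magic == b"FWS" and length > len(data) - off:
                continue  # declared size cannot exceed what is left of the file
            hits.append({"offset": off, "signature": magic.decode(),
                         "version": version, "length": length})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_xls_like_blob() -> bytes:
    """Constructed test input (not a real document): an OLE2 magic header,
    padding to the first sector boundary, then a tiny zlib-compressed SWF."""
    body = b"\x00" * 64  # stand-in for SWF tag data following the 8-byte header
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    ole_magic = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    return ole_magic + b"\x00" * 504 + swf + b"\xff" * 32


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_embedded_swf(fh.read()))
```

Run it against suspicious Office attachments; a hit does not prove the embedded movie is malicious, only that a Flash object is present and deserves a closer look.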

The Flash movie's payload in turn installed a modified version of Poison Ivy. Poison Ivy is known as a RAT, a Remote Administration/Access Tool/Toolkit/Trojan. RATs give an attacker remote access to files and the registry, let them monitor network activity, start and stop programs, and more, making them extremely powerful: anything the user can do locally, the hacker can do remotely. While in principle RATs can have legitimate remote administration uses, their widespread use by malware and their silent operation mean that most anti-malware software will detect and remove them.

With Poison Ivy installed, the attacker stole user credentials and escalated their privileges to gain access to secure systems that the originally compromised user could not reach. The attacker then used this system access to exfiltrate some amount of sensitive data, the nature of which RSA has yet to reveal.

This kind of attack, where an attacker deploys malware inside an organization that gives them continued interactive access and lets them react to what they learn about the target's environment, is called an Advanced Persistent Threat (APT). APTs represent a significant threat to high-profile organizations. Among other targets, APTs were used in the Aurora attacks against Google (and others), and also in the attacks against the French and Canadian Finance Ministries earlier this year. The attacks all tend to follow a similar pattern—spear-phishing with a zero-day exploit to penetrate the organization and deploy long-lived malware, then a slow and careful process of learning more about the target and getting access to more sensitive systems.

While effective, however, it's a little hard to justify RSA's claims of extreme sophistication. This is not to say that the attackers were chumps, but judging by what RSA has revealed so far, no part of this attack broke new ground. The same pattern is being repeated with some regularity, and the tools to perform such attacks are within reach of any enterprising hacker.

High-risk targets need to be aware of these attacks, and need to guard against them, with better user education (to avoid spear-phishing in the first place), better intrusion detection (to detect the unauthorized system access), and perhaps more aggressive heuristic-based anti-malware (to detect unknown malware variants and zero-day attacks).

RSA falling victim to such an attack is rich with irony. The company has both software and services designed to protect sensitive information and detect trojans, phishing, and similar attacks. To lose control of sensitive information after users were phished and had trojans installed on their systems is a damning indictment of RSA's own security offerings.

Perhaps in a bid to bolster these offerings, EMC, parent company of RSA, announced the purchase of NetWitness, a company specializing in malware detection and network security analysis software and services—the very tools instrumental in detecting APT attacks. NetWitness will operate as part of RSA.

As for RSA customers, the company is still refusing to describe exactly what information was compromised, a decision that places those companies at continued risk. In a worst-case scenario, the attackers gained enough information to completely nullify the company's SecurID product, converting two-factor systems using a security token and a password into, effectively, single-factor, password-only systems. Failure to disclose means that those companies may believe their systems to be more secure than they actually are.